Executive summary · TL;DR

ENS (Spanish National Security Framework) consulting accompanies companies and Spanish Public Administration bodies through adequacy to RD 311/2022, from risk analysis to conformity audit.

Implementing the ENS (Spanish National Security Framework) requires specialised knowledge that most organisations do not have in-house. An experienced ENS consultant not only accelerates the adequacy process but avoids costly errors that can delay certification by months and significantly increase project budget. This guide helps you understand what to expect from an ENS consultancy and how to select the right partner for your organisation.

In this article
  • What exactly an ENS consultant does
  • Criteria for choosing an ENS consultancy: demonstrable ENS experience, knowledge of MAGERIT and PILAR, real technical capability, knowledge of the public sector, independence from the certifying body
  • Red flags when selecting an ENS consultancy
  • Typical phases of an ENS consulting project
  • Indicative consulting costs in 2026
  • Why a specialised consultant makes the difference

What exactly does an ENS consultant do?

An ENS consultant carries out a set of specialised activities covering the full adequacy lifecycle. In the diagnostic phase, the consultant evaluates the organisation's current security posture, identifies gaps against ENS requirements and produces a realistic project plan with timelines, resources and costs in €.

In the categorisation phase, they determine the system category (BASIC, MEDIUM or HIGH) by valuing each security dimension (DICAT: availability, integrity, confidentiality, authenticity and traceability) for the information processed and the services provided. Under Annex I of RD 311/2022 the system takes the highest level assigned to any dimension of any information or service in scope, so a single HIGH valuation of confidentiality, for example, makes the whole system HIGH. This valuation is critical because it conditions the number and stringency of applicable controls.

In the risk analysis phase, the consultant runs the full process with MAGERIT: asset inventory, threat identification, impact and likelihood valuation, safeguard selection and residual risk calculation. They typically use the CCN's PILAR tool to automate the calculations.
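As an added illustration of the two points above (the Annex I category rule, and the MAGERIT chain of asset value, threat degradation and likelihood, safeguards and residual risk), here is a small Python model. It is not code from the page, the CCN or PILAR: the category rule is the real one from RD 311/2022 Annex I, but the numeric arithmetic (impact = value × degradation, risk = impact × likelihood, safeguards scaling both) is a simplified stand-in for MAGERIT's qualitative tables, and the assets, threat, safeguards and the 0.15 acceptance threshold are constructed sample data.

```python
"""ENS categorisation and a simplified MAGERIT-style risk calculation.

Added illustration, not code from the page, the CCN or PILAR. The category
rule is the real one from RD 311/2022 Annex I (the system takes the highest
level assigned to any dimension); the numeric risk arithmetic is a simplified
stand-in for MAGERIT's qualitative tables, chosen to show the mechanics.
"""
from dataclasses import dataclass, field

# DICAT dimensions: Disponibilidad, Integridad, Confidencialidad,
# Autenticidad, Trazabilidad.
DIMENSIONS = ("D", "I", "C", "A", "T")
LEVELS = {"BASIC": 1, "MEDIUM": 2, "HIGH": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Asset:
    name: str
    valuation: dict  # dimension -> "BASIC" | "MEDIUM" | "HIGH"


@dataclass
class Threat:
    name: str
    degradation: dict  # dimension -> fraction of the asset's value lost (0..1)
    likelihood: float  # simplified likelihood of the threat materialising (0..1)


@dataclass
class Safeguard:
    name: str
    degradation_reduction: dict = field(default_factory=dict)  # dimension -> fraction removed
    likelihood_reduction: float = 0.0


def system_category(assets):
    """Annex I of RD 311/2022: the system's category is the highest level
    assigned to any dimension of any information or service in scope."""
    highest = max(LEVELS[lvl] for a in assets for lvl in a.valuation.values())
    return LEVEL_NAMES[highest]


def risk_by_dimension(asset, threat, safeguards=()):
    """Risk per dimension = impact x likelihood, where impact = asset value x
    degradation. Safeguards scale degradation (per dimension) and likelihood.
    With no safeguards this is the potential risk; with them, the residual risk."""
    likelihood = threat.likelihood
    for s in safeguards:
        likelihood *= 1 - s.likelihood_reduction
    risks = {}
    for dim, deg in threat.degradation.items():
        for s in safeguards:
            deg *= 1 - s.degradation_reduction.get(dim, 0.0)
        risks[dim] = round(LEVELS[asset.valuation[dim]] * deg * likelihood, 4)
    return risks


def unacceptable(risks, threshold):
    """Dimensions whose residual risk still exceeds the acceptance threshold
    the organisation has set (a hypothetical value, not an ENS figure)."""
    return sorted(d for d, r in risks.items() if r > threshold)


# Constructed sample inventory (not real data).
PORTAL = Asset("citizen portal", {"D": "MEDIUM", "I": "MEDIUM", "C": "HIGH",
                                  "A": "MEDIUM", "T": "MEDIUM"})
WIKI = Asset("internal wiki", {d: "BASIC" for d in DIMENSIONS})
RANSOMWARE = Threat("ransomware", {"D": 1.0, "I": 0.5}, likelihood=0.4)
BACKUPS = Safeguard("offline backups", degradation_reduction={"D": 0.75})
EDR = Safeguard("endpoint detection", likelihood_reduction=0.5)

if __name__ == "__main__":
    print("category:", system_category([PORTAL, WIKI]))
    potential = risk_by_dimension(PORTAL, RANSOMWARE)
    residual = risk_by_dimension(PORTAL, RANSOMWARE, [BACKUPS, EDR])
    print("potential risk:", potential)
    print("residual risk:", residual)
    print("still above threshold 0.15:", unacceptable(residual, 0.15))
```

Two things the numbers show that the prose alone does not: the single HIGH valuation of confidentiality on the portal drags the whole system to HIGH even though every other dimension and asset is lower, and the backup safeguard only lowers availability risk, so after treatment the integrity dimension (0.2) is the one still above the sample threshold and the one a consultant would go back to the safeguard catalogue for.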

In the implementation phase, they advise and accompany the implementation of applicable controls, draft or review system documentation (policy, standards, procedures, records) and verify that technical measures are correctly implemented.

In the verification phase, they perform the pre-certification internal audit, identify non-conformities to be corrected and accompany the organisation through the external certification audit.

Criteria for choosing an ENS consultancy

Demonstrable ENS experience

This is the most important criterion. The ENS has very specific peculiarities that set it apart from other security frameworks. Ask how many ENS adequacy projects the consultancy has completed, in what categories (BASIC, MEDIUM, HIGH), for what type of organisations (Spanish Public Administration bodies, ICT providers, service companies) and with what first-time success rate at audit.

An experienced consultant knows the auditors' criteria, the critical points where non-conformities usually appear and the most efficient technical solutions for each control.

Knowledge of MAGERIT and PILAR

Risk analysis is the cornerstone of the ENS. The consultant must master MAGERIT and be a competent user of PILAR. Be wary of consultancies proposing to do the risk analysis with generic methodologies not recognised by the CCN.

Real technical capability

The ENS requires not only documentation but technical implementation of controls: firewall configuration, network segmentation, encryption, identity management, monitoring, system hardening. The consultant must have technical profiles able to verify and guide implementation, not only document it on paper.

Knowledge of the public sector

If your organisation is part of the Spanish Public Administration or supplies it, it is essential that the consultant knows the peculiarities of public procurement, administrative procedures, the typical organisational structure of administrations and how the CCN tools (INES, LUCIA, CLARA) work.

Independence from the certifying body

The consultant advising on implementation cannot be the same body that certifies you. This is an independence requirement that guarantees audit impartiality. Verify there are no conflicts of interest.

Red flags when selecting an ENS consultancy

Certain signs should make you discard a consulting provider:
  • Abnormally low prices, which usually mean the work will be done superficially or with generic templates that do not adapt to your reality.
  • Promises of "guaranteed certification", which are irresponsible since the final decision rests with the external auditor.
  • Lack of verifiable references, which indicates inexperience.
  • A purely documentary proposal with no technical component, which will produce a paper-only management system that will not survive the on-site audit.
  • Absence of knowledge transfer, which will leave your organisation dependent on the consultant to maintain the system.

Typical phases of an ENS consulting project

A well-managed ENS adequacy project follows a predictable sequence of phases.

The first phase is diagnosis and planning, lasting 2-4 weeks. The consultant analyses the current situation, identifies gaps, categorises the system and produces the project plan.

The second phase is the risk analysis, 4-8 weeks. Asset inventory, DICAT valuation, threat identification and risk calculation with MAGERIT/PILAR are performed.

The third phase is documentary work, 4-8 weeks. The security policy, standards, operational procedures and Statement of Applicability are drafted or updated.

The fourth phase is control implementation, 8-20 weeks. It is the most variable phase as it depends on the technical starting point. It includes technical measures, staff training and security process roll-out.

The fifth phase is the internal audit and adjustment, 3-6 weeks. An internal audit simulating the certification audit is run, non-conformities are identified and corrected.

The sixth phase is certification support, 2-4 weeks. The consultant prepares the organisation for the external audit and may be present during it as technical support.

Indicative ENS consulting costs in 2026

Costs vary by project complexity, but as a reference for the Spanish market in 2026 the following ranges apply.

For an SME with a BASIC category system, consulting can range from €5,000 to €12,000, since BASIC only requires a declaration of conformity (a self-declaration) rather than certification by an accredited body. For MEDIUM category, the usual range is €12,000 to €35,000. For HIGH category or complex systems, costs typically exceed €35,000 and can reach €60,000-80,000 for large organisations.

These costs do not include the external certification audit (required for MEDIUM and HIGH), which is contracted directly with an ENAC-accredited certification body.

The Spanish Government's Kit Consulting programme can fund up to €24,000 of your ENS consulting project.

Why a specialised consultant makes the difference

The difference between tackling the ENS with specialised advice or without it is measured on three variables: time (a consultant cuts the average timeframe by around 40%), cost (avoiding errors that force phases to be repeated) and first-time audit success probability (above 90% with an experienced consultant vs. 50-60% without advice).

In addition, a good consultant does not just prepare you for certification: they leave you with a security management system that works day to day and the capability to maintain it autonomously.

📩 Looking for a trusted ENS consultant? Let's talk for an initial diagnosis with no commitment. We will assess your situation and give you a clear action plan with transparent timelines and costs in €.



Author: Ángel Ortega Castro — independent consultant in strategy, quality and digitalisation for Spanish SMEs and public administrations.


Frequently asked questions

How does this apply to my SME?

The ENS is mandatory for Spanish public-sector bodies and for private companies that provide services or solutions to them (RD 311/2022, art. 2); if your SME supplies the public sector, the contracting body will require it. An SME with no public-sector contracts is not obliged to comply, although it can certify voluntarily.

What does it cost in 2026?

See the ranges above: roughly €5,000-12,000 in consulting for a BASIC category system, more for MEDIUM and HIGH. The external certification audit is a separate fee, set by the accredited certification body (AENOR, Bureau Veritas, SGS, LRQA, among others).

Which Spanish regulation applies?

For the ENS, the applicable regulation is RD 311/2022, published in the BOE. Depending on scope, the GDPR (Regulation (EU) 2016/679), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689) may also apply.

How long does the implementation take?

Adding up the phases described above, an ENS adequacy project typically takes 6 to 12 months end to end; control implementation (8-20 weeks) is the phase that varies most with the technical starting point.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro